COMMAND
eTrust Access Control (formerly SeOS)
SYSTEMS AFFECTED
eTrust Access Control
PROBLEM
Sanjay Venkat found the following. The default installation of eTrust
Access Control (formerly SeOS) is vulnerable to root-level compromise.
While working with eTrust Access Control (SeOS), Sanjay found that the
default installation can be compromised in order to gain root access
to the machines. The attacker is required to be on the same network as
the SeOS database and to know some basic information that can easily
be gathered through well-known information gathering techniques.
SeOS is a host-based access control utility which runs on Unix and
WinNT and provides granular control over files and resources on the
operating system based on access rules stored in a local database.
Internally, SeOS operates by intercepting system calls in the kernel
and checking each request against the local SeOS database.
SeOS does a fair bit to protect its own resources and getting into
a discussion on that is beyond the scope of this posting.
SeOS allows remote management of the local database from other
systems where SeOS has been installed and here is where the system
might be compromised.
Updates to the SeOS database require both of the following conditions
to be met:
1. Access to administer the database, and
2. Administration permission from a specific terminal (machine).
Thus SeOS can be set up to accept remote updates to the SeOS database
from authenticated users and from selected machines. The same
conditions must hold to update a remote database.
The remote database of a SeOS machine can be compromised and made
to accept updates from the attacker when the attacker connects to
the database masquerading as a legitimate administrator.
Steps:
1. Attacker machine runs a default installation of SeOS and runs
under the same account name as the remote Administrator.
2. Attacker machine assumes the same name and IP address as
administration terminal.
3. Attacker connects to the local database of the Attacker machine
and later connects to the Remote database using the following
command: host <remote_database>@<attacked_machine>
4. The Attacker can now administer SeOS which also allows creation
of new accounts on the operating system
SOLUTION
The Attacker is easily able to impersonate the remote administrator
even though the traffic is designed to be encrypted. This is because
the encryption key is known to the attacker (the default key is
available on the eTrust CD-ROM). *Most* SeOS implementations today
still use the default key, making these systems easily compromised.
In order to protect against such an attack, it is recommended that
the default encryption key be changed during installation. Even
though the default installation does not require this, it is
recommended that the encryption key be changed on all SeOS hosts.
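The following added example (not part of the original posting, and not
eTrust's own protocol or code) models why the user-name and terminal
checks alone do not stop impersonation, and why changing the key does.
The update format, the HMAC authenticator, the DEFAULT_KEY placeholder
and the uses_default_key() check are all assumptions made for the
illustration; the real default key is not on the page and is not
reproduced here.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for a product-wide default key that
# every installation shares (hypothetical value, not the real one).
DEFAULT_KEY = b"DEFAULT-KEY-PLACEHOLDER"


def protect_update(key: bytes, admin: str, terminal: str, command: str) -> dict:
    """Wrap a database update in an authenticator under `key` (hypothetical format)."""
    body = f"{admin}|{terminal}|{command}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"admin": admin, "terminal": terminal, "command": command, "tag": tag}


def accept_update(msg: dict, site_key: bytes,
                  allowed_admins: set, allowed_terminals: set) -> bool:
    """Receiver side: the admin-name and terminal checks the advisory
    describes, plus verification of the authenticator under this host's key."""
    if msg["admin"] not in allowed_admins or msg["terminal"] not in allowed_terminals:
        return False
    body = f"{msg['admin']}|{msg['terminal']}|{msg['command']}".encode()
    expected = hmac.new(site_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


def uses_default_key(site_key: bytes) -> bool:
    """Pre-deployment check a defender can run: is this host still on the shared default?"""
    return hmac.compare_digest(site_key, DEFAULT_KEY)


def demo() -> dict:
    """Compare a host left on the default key with one whose key was changed at install."""
    allowed_admins = {"seosadmin"}
    allowed_terminals = {"admin-term.example"}

    # An update built with only the shared default key, carrying a spoofed
    # admin name and terminal (constructed sample, mirrors the advisory's scenario).
    spoofed = protect_update(DEFAULT_KEY, "seosadmin", "admin-term.example",
                             "update-rule constructed-sample")

    # Host still on the default key: the spoofed update passes every check.
    default_site_accepts = accept_update(spoofed, DEFAULT_KEY,
                                         allowed_admins, allowed_terminals)

    # Host whose key was changed during installation: same name and terminal
    # checks pass, but the authenticator no longer verifies.
    site_key = secrets.token_bytes(32)
    changed_site_accepts = accept_update(spoofed, site_key,
                                         allowed_admins, allowed_terminals)

    # The legitimate administrator, who holds the per-site key, is still accepted.
    legit = protect_update(site_key, "seosadmin", "admin-term.example",
                           "update-rule constructed-sample")
    legit_accepted = accept_update(legit, site_key, allowed_admins, allowed_terminals)

    return {
        "default_site_accepts": default_site_accepts,
        "changed_site_accepts": changed_site_accepts,
        "legit_accepted": legit_accepted,
        "default_key_detected": uses_default_key(DEFAULT_KEY),
        "site_key_flagged": uses_default_key(site_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The host-name and IP checks in the advisory are identity claims that
the receiver cannot verify on their own; only a key that the remote
party cannot obtain from the installation media ties the update to an
actual administrator, which is why the key change is the effective
mitigation. The uses_default_key() check is the kind of test worth
adding to an installation or audit script so hosts left on the default
are found before anyone else finds them.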